.mega-linter.yml

# Configuration file for MegaLinter
# See all available variables at https://oxsecurity.github.io/megalinter/configuration/ and in linters documentation

IGNORE_GITIGNORED_FILES: true

# all, none, or list of linter keys
APPLY_FIXES: none
DISABLE_LINTERS:
  - MARKDOWN_MARKDOWN_TABLE_FORMATTER
  - MARKDOWN_MARKDOWN_LINK_CHECK
  - COPYPASTE_JSCPD
  - REPOSITORY_DEVSKIM
  - SPELL_PROSELINT
  - SPELL_CSPELL
  - JAVASCRIPT_STANDARD
  - SQL_TSQLLINT
  - PYTHON_PYLINT
  - JAVA_PMD
  - PYTHON_PYRIGHT
  # error - python package "--hash" is available for public registration. /github/workspace/src/query/tests/e2e/requirements.txt
  - REPOSITORY_DUSTILOCK
  # too many false-positives and takes forever
  - YAML_V8R
  # seems to ignore yamllint config file entirely
  - YAML_YAMLLINT
  - SPELL_LYCHEE
  # failing on previously existing CVEs in PRs isn't entirely helpful.
  # ideally should be part of a regularly scheduled check instead
  - REPOSITORY_GRYPE

SHOW_ELAPSED_TIME: true
FILEIO_REPORTER: false
# DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass

BASH_SHELLCHECK_FILTER_REGEX_EXCLUDE: (fhir/ig)

BASH_SHFMT_ARGUMENTS:
  - "--indent=2"

ADDITIONAL_EXCLUDED_DIRECTORIES:
  - "node_modules"

GROOVY_NPM_GROOVY_LINT_ARGUMENTS:
  - "--failon=warning"

JAVA_CHECKSTYLE_CONFIG_FILE: src/config/checkstyle/checkstyle.xml

REPOSITORY_TRIVY_ARGUMENTS:
  - "--severity=HIGH,CRITICAL"
  - "--ignore-unfixed"

REPOSITORY_CHECKOV_ARGUMENTS:
  - "--skip-path=tests/"
  - "--skip-path=src/hack/"
  - "--skip-path=docker-compose/"
  - "--skip-path=src/list/frontend/deploy/data/"

REPOSITORY_KICS_ARGUMENTS:
  - --fail-on=HIGH

REPOSITORY_KICS_CONFIG_FILE: .kics.yaml